Add option to use signing key protected by a passphrase

Signed-off-by: aneessahib <anees.a.sahib@intel.com>
gramineproject · Sep 26, 2022 · 08add16 · 08add16
1 parent f15a7a5
commit 08add16
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 8 deletions.
diff --git a/Documentation/index.rst b/Documentation/index.rst
@@ -144,6 +144,10 @@ of the signing key in them.
 
    Specify configuration file. Default: :file:`config.yaml`
 
+.. option:: -p
+
+   Provide passphrase for the enclave signing key (if applicable)
+
 .. option:: IMAGE-NAME
 
    Name of the application Docker image

diff --git a/gsc.py b/gsc.py
@@ -341,15 +341,18 @@ def gsc_sign_image(args):
     with open(tmp_build_path / 'Dockerfile.sign', 'w') as dockerfile:
         dockerfile.write(sign_template.render(image=unsigned_image_name))
 
-    # copy user-provided signing key to our tmp build dir (to copy it later inside Docker image)
+    # copy user-provided signing key and signing Bash script to our tmp build dir (to copy them
+    # later inside Docker image)
     tmp_build_key_path = tmp_build_path / 'gsc-signer-key.pem'
+    tmp_build_sign_path = tmp_build_path / 'sign.sh'
     shutil.copyfile(os.path.abspath(args.key), tmp_build_key_path)
+    shutil.copyfile(os.path.abspath('sign.sh'), tmp_build_sign_path)
 
     try:
         # `forcerm` parameter forces removal of intermediate Docker images even after unsuccessful
         # builds, to not leave the signing key lingering in any Docker containers
         build_docker_image(docker_socket.api, tmp_build_path, signed_image_name, 'Dockerfile.sign',
-                           forcerm=True)
+                           forcerm=True, buildargs={"passphrase": args.passphrase})
     finally:
         os.remove(tmp_build_key_path)
 
@@ -484,6 +487,7 @@ def gsc_info_image(args):
     default='config.yaml', help='Specify configuration file.')
 sub_sign.add_argument('image', help='Name of the application (base) Docker image.')
 sub_sign.add_argument('key', help='Key to sign the Intel SGX enclaves inside the Docker image.')
+sub_sign.add_argument('-p', '--passphrase', help='Passphrase for the signing key.')
 
 sub_info = subcommands.add_parser('info-image', help='Retrieve information about a graminized '
                                   'Docker image')

diff --git a/sign.sh b/sign.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/expect
+spawn gramine-sgx-sign \
+      --key [lindex $argv 0] \
+      --manifest [lindex $argv 1] \
+      --output [lindex $argv 2]
+
+set timeout -1
+set times 0
+set maxtimes 1
+expect "Enter pass phrase for [lindex $argv 0]" {
+    if {$times > $maxtimes} {
+        exit 0
+    }
+    send "[lindex $argv 3]\r"
+    set times [ expr $times + 1];
+    exp_continue
+}
diff --git a/templates/Dockerfile.common.sign.template b/templates/Dockerfile.common.sign.template
@@ -1,14 +1,19 @@
 # Sign image in a separate stage to ensure that signing key is never part of the final image
 FROM {{image}} as unsigned_image
-
 COPY gsc-signer-key.pem /gramine/app_files/gsc-signer-key.pem
 
-RUN {% block path %}{% endblock %} gramine-sgx-sign \
-      --key /gramine/app_files/gsc-signer-key.pem \
-      --manifest /gramine/app_files/entrypoint.manifest \
-      --output /gramine/app_files/entrypoint.manifest.sgx
+ARG passphrase
+COPY sign.sh /gramine/app_files/sign.sh
+RUN chmod +x /gramine/app_files/sign.sh
+
+RUN {% block path %}{% endblock %} /gramine/app_files/sign.sh \
+      /gramine/app_files/gsc-signer-key.pem \
+      /gramine/app_files/entrypoint.manifest \
+      /gramine/app_files/entrypoint.manifest.sgx \
+      $passphrase
 
-# This trick removes all temporary files from the previous commands (including gsc-signer-key.pem)
+# This trick removes all temporary files from the previous commands (including gsc-signer-key.pem
+# and passphrase)
 FROM {{image}}
 
 COPY --from=unsigned_image /gramine/app_files/*.sig /gramine/app_files/

diff --git a/templates/centos/Dockerfile.build.template b/templates/centos/Dockerfile.build.template
@@ -9,6 +9,7 @@ RUN dnf update -y \
     &&  dnf install -y \
         binutils \
         epel-release \
+        expect \
         openssl \
         protobuf-c-devel \
         python3 \

diff --git a/templates/debian/Dockerfile.build.template b/templates/debian/Dockerfile.build.template
@@ -4,6 +4,7 @@
 RUN apt-get update \
     && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
         binutils \
+        expect \
         libcurl4-openssl-dev \
         libprotobuf-c-dev \
         locales \